TCC Bypass via Mounted APFS Snapshot Access

  1[metadata]
  2creation_date = "2020/01/04"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/03/18"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the use of the mount_apfs command to mount the entire file system through Apple File System (APFS) snapshots
 11as read-only and with the noowners flag set. This action enables the adversary to access almost any file in the file
 12system, including all user data and files protected by Apple’s privacy framework (TCC).
 13"""
 14from = "now-9m"
 15index = ["logs-endpoint.events.*"]
 16language = "eql"
 17license = "Elastic License v2"
 18name = "TCC Bypass via Mounted APFS Snapshot Access"
 19references = ["https://theevilbit.github.io/posts/cve_2020_9771/"]
 20risk_score = 73
 21rule_id = "b00bcd89-000c-4425-b94c-716ef67762f6"
 22setup = """## Setup
 23
 24This rule requires data coming in from Elastic Defend.
 25
 26### Elastic Defend Integration Setup
 27Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 28
 29#### Prerequisite Requirements:
 30- Fleet is required for Elastic Defend.
 31- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 32
 33#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 34- Go to the Kibana home page and click "Add integrations".
 35- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 36- Click "Add Elastic Defend".
 37- Configure the integration name and optionally add a description.
 38- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 39- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 40- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 41- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 42For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 43- Click "Save and Continue".
 44- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 45For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 46"""
 47severity = "high"
 48tags = [
 49    "Domain: Endpoint",
 50    "OS: macOS",
 51    "Use Case: Threat Detection",
 52    "Tactic: Defense Evasion",
 53    "Use Case: Vulnerability",
 54    "Data Source: Elastic Defend",
 55    "Resources: Investigation Guide",
 56]
 57timestamp_override = "event.ingested"
 58type = "eql"
 59
 60query = '''
 61process where host.os.type == "macos" and event.type in ("start", "process_started") and process.name == "mount_apfs" and
 62 process.args like~ "/System/Volumes/Data" and process.args like~ "noowners"
 63'''
 64note = """## Triage and analysis
 65
 66> **Disclaimer**:
 67> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 68
 69### Investigating TCC Bypass via Mounted APFS Snapshot Access
 70
 71Apple's TCC framework safeguards user data by controlling app access to sensitive files. Adversaries exploit APFS snapshots, mounting them with specific flags to bypass these controls, gaining unauthorized access to protected data. The detection rule identifies this misuse by monitoring the execution of the `mount_apfs` command with parameters indicative of such bypass attempts, flagging potential security breaches.
 72
 73### Possible investigation steps
 74
 75- Review the process execution details to confirm the presence of the `mount_apfs` command with the specific arguments `/System/Volumes/Data` and `noowners` to verify the alert's accuracy.
 76- Investigate the user account associated with the process execution to determine if the activity aligns with expected behavior or if it indicates potential unauthorized access.
 77- Examine the timeline of events leading up to and following the alert to identify any related suspicious activities or processes that may indicate a broader attack or compromise.
 78- Check for any recent changes or anomalies in system configurations or user permissions that could have facilitated the bypass attempt.
 79- Correlate the alert with other security logs or alerts to assess if this is part of a larger pattern of malicious behavior or an isolated incident.
 80
 81### False positive analysis
 82
 83- System maintenance tools or backup software may legitimately use the mount_apfs command with the noowners flag for routine operations. Users can create exceptions for these specific tools by identifying their process names or paths and excluding them from the detection rule.
 84- Developers or IT administrators might use the mount_apfs command during testing or troubleshooting. To prevent these activities from triggering false positives, users can whitelist specific user accounts or IP addresses associated with these roles.
 85- Automated scripts or scheduled tasks that require access to APFS snapshots for legitimate purposes might trigger the rule. Users should review these scripts and, if deemed safe, add them to an exclusion list based on their unique identifiers or execution context.
 86- Security software or monitoring tools that perform regular checks on file system integrity might inadvertently match the rule's criteria. Users can mitigate this by identifying these tools and excluding their specific process signatures from the detection parameters.
 87
 88### Response and remediation
 89
 90- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or data exfiltration.
 91- Terminate any suspicious processes related to the `mount_apfs` command to halt ongoing unauthorized access attempts.
 92- Conduct a thorough review of system logs and user activity to identify any data accessed or exfiltrated during the breach.
 93- Restore any compromised files from a known good backup to ensure data integrity and security.
 94- Update macOS and all installed applications to the latest versions to patch any vulnerabilities that may have been exploited.
 95- Implement stricter access controls and monitoring for APFS snapshot usage to prevent similar bypass attempts in the future.
 96- Escalate the incident to the security operations center (SOC) or relevant IT security team for further investigation and to assess the need for additional security measures."""
 97
 98
 99[[rule.threat]]
100framework = "MITRE ATT&CK"
101[[rule.threat.technique]]
102id = "T1006"
103name = "Direct Volume Access"
104reference = "https://attack.mitre.org/techniques/T1006/"
105
106
107[rule.threat.tactic]
108id = "TA0005"
109name = "Defense Evasion"
110reference = "https://attack.mitre.org/tactics/TA0005/"